ZH2004-06SA (security advisory): ShopCartCGI v2.3 Remote arbitrary file retrieving
2004-02-17, ZetaLabs (zetalabs zone-h org)

YABB information leakage on failed login
2004-02-17, David Cantrell (david cantrell org uk)
YABB is a popular web-based bulletin board system, written in perl and available from <http://www.yabbforum.com/>. While evaluating it, I found a minor issue where an attacker trying to log in to the forums can extract some useful information making his job easier than it needs to be. Most YABB fo

[ GLSA 200402-06 ] Linux kernel AMD64 ptrace vulnerability
2004-02-17, Tim Yamin (plasmaroo gentoo org)

[ GLSA 200402-05 ] phpMyAdmin < 2.5.6-rc1 directory traversal attack
2004-02-17, Tim Yamin (plasmaroo gentoo org)

Re: Misinformation in Security Advisories (ASN.1)
2004-02-16, Steven M. Christey (coley mitre org)
Based on our experiences in CVE, many advisories frequently have (a) incomplete, (b) inaccurate, or (c) inconsistent information. To use the eEye / ASN.1 issue as a *single* example of many that I run across:
- eEye published 2 advisories that each said there were "multiple" integer overflo

RE: [Full-Disclosure] Re: W2K source "leaked"?
2004-02-14, Nick FitzGerald (nick virus-l demon co uk)
"Drew Copley" <dcopley (at) eeye (dot) com> wrote:
> It is true that there are exploits which can go under the radar.
>
> I have a lot of fascination for these.
>
> Customers can't report to AV or security companies trojans they never
> even knew they had.
>
> The requirement level is high, however:
Yep, but

Re: Misinformation in Security Advisories (ASN.1)
2004-02-16, Ivan Arce (ivan arce coresecurity com)
In the recent and not-so-recent past I've seen claims of non-exploitability of several discovered vulnerabilities without actual facts to support them. A recent private email discussion of this matter as well as the public post to this list motivated me to reply with some thoughts on the issue. Whi

Re: Misinformation in Security Advisories (ASN.1)
2004-02-16, evol ruiner halo nu
> reasons. I'd like to point out a couple examples, and
> promote discussion as to how this misinformation
> affects the security community and the non-experts who
> rely on this information to be valid.
This problem has been solved in several other sectors of business. If you're relying on contrac

Re: Misinformation in Security Advisories (ASN.1)
2004-02-16, Simon Brady (simon brady otago ac nz)
On Mon, 16 Feb 2004, John Compton wrote:
> First of all, there is good news for those of you out there who are
> worried about the new ASN.1 vulnerability in Microsoft operating
> systems. It is NOT exploitable to run arbitrary code in anything
> approaching a real-world scenario.
With all due res

RE: Exploit based on leaked code released.
2004-02-16, tlarholm pivx com
I can verify that the attached Proof of Concept bitmap produced a DoS on several IE versions, including
IE5.01 SP1 5.00.2614.3500 on Windows 2000 Pro SP2
IE5.01 SP1 5.00.2920.0000 on Windows 2000 Pro SP2
IE5.01 SP2 5.00.3315.1000 on Windows 2000 Pro SP2
The latter configuration is still supported

Another YabbSE SQL Injection
2004-02-16, backspace (backspace_2k terra es)
Summary
YaBB SE is a PHP/MySQL port of the popular forum software YaBB (yet another bulletin board). An SQL injection vulnerability allows a remote attacker to execute malicious SQL statements on the database remotely
Details
Vulnerable Systems:
* YaBB SE versions 1.5.4, 1.5.5, possibly others
T

AllMyLinks PHP Code Injection vulnerability
2004-02-14, Pablo Santana (m4dsk4t3r hotmail com)
******** AllMyLinks PHP Code Injection vulnerability ********
Product : AllMyLinks
Vendor : www.php-resource.net
Date : February 14, 2004
Problem : PHP Code Injection
Vendor Contacted ? : No
************************** Source ****************************
in /include/footer.inc.php -

Re: W2K source "leaked"?
2004-02-16, Ho Chaw Ming (chawming pacific net sg)
Well. the code doesn't exactly compile. A leak is a leak, and source isn't exactly like binaries. You can see trojans if they exist.
----- Original Message -----
From: <LordInfidel (at) directionweb (dot) com>
To: <bugtraq (at) securityfocus (dot) com>
Sent: Saturday, February 14, 2004 1:47 AM
Subject: RE: W2K source "

LNSA-#2004-0001: mutt remote crash
2004-02-15, Vincenzo Ciaglia (ciaglia netwosix org)
************************************************************************************
Netwosix Linux Security Advisory #2004-0001 <http://www.netwosix.org>
-----------------------------------------------------------------------------------
Package name: mutt
Summary: remote crash
Date

AllMyVisitors PHP Code Injection vulnerability
2004-02-14, Pablo Santana (m4dsk4t3r hotmail com)
******** AllMyVisitors PHP Code Injection vulnerability ********
Product : AllMyVisitors
Vendor : www.php-resource.net
Date : February 14, 2004
Problem : PHP Code Injection
Vendor Contacted ? : No
************************** Source ****************************
in /include/info.inc.php

AllMyGuests PHP Code Injection vulnerability
2004-02-14, Pablo Santana (m4dsk4t3r hotmail com)
******** AllMyGuests PHP Code Injection vulnerability ********
Product : AllMyGuests
Vendor : www.php-resource.net
Date : February 14, 2004
Problem : PHP Code Injection
Vendor Contacted ? : No
************************** Source ****************************
in /include/info.inc.php -

RE: Hacking USB Thumbdrives, Thumbprint authentication
2004-02-12, Lyal Collins (lyalc ozemail com au)
[> Most fingerprint systems convert the fingerprint image into
[> what's called
[> a template. This is a numeric representation, but
[> comparison between
[> two templates is not as simple as "==". Different portions of the
[> template represent different minutiae on the fingerprint, and
[> an

RE: W2K source "leaked"?
2004-02-13, LordInfidel directionweb com
Just a thought: Has anyone given any consideration that maybe this source is trojanized? It's obviously pirated, since MS probably did not release it to the general public. (At least they have not made a public announcement to that effect, unless I am mistaken and that is always a possibility) No

Re: Apache Http Server Reveals Script Source Code to Remote Users And Any Users Can Access The Forbidden Directory ("/WEB-INF/")
2004-02-13, Axel Beckert - ecos gmbh (beckert ecos de)
Hi!
Am Wed, Feb 11, 2004 at 01:49:30PM +0100, Peter J. Holzer wrote:
> Right. On Unix "WEB-INF" and "WEB-INF.." are two different, legal file
> names. On Windows, trailing dots seem to be ignored, so "WEB-INF" and
> "WEB-INF.." are just two names for the same file. This also works if the
> filename

RE: [inbox] W2K source "leaked"?
2004-02-13, Curt Purdy (purdy tecman com)
Gadi Evron wrote:
> I never believed in 0-days.
<snip>
> but now... I don't know.
I can assure you 0-days do and have existed for a long time. In the past the true l33t h4x0rs would turn their creations over to the kiddies when they came up with something better to use. Today they do it when a pa

Re: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption
2004-02-13, David Wilson (David Wilson isode com)
> That's not actually correct. Most network protocols use the
> "Distinguished Encoding Rules" (DER) not the "Basic Encoding Rules"
> (BER). BER is an abomination and should never, ever have been in
> the standard; the only protocol commonly used over IP that uses BER
> is LDAP, because it desce

Re: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption
2004-02-13, Joshua Levitsky (jlevitsk joshie com)
----- Original Message -----
Sent: Wednesday, February 11, 2004 2:04 PM
Subject: RE: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption
> At the risk of boring everyone with thoughts of "obsolete" technology, I
> note that Win98SE systems with Internet Explorer 6 SP1 and all current fix

Re: EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption
2004-02-14, Michael Shigorin (mike osdn org ua)
On Wed, Feb 11, 2004 at 07:04:31PM -0000, Boyce, Nick wrote:
> version: 4.4.3388
[snip]
> The file versions for MSASN1.DLL listed in
> http://www.microsoft.com/technet/security/bulletin/MS04-007.asp
> are all of the form 5.m.nnnn.x, so it may be that the Win98
> version is so much older that it d
ZH2004-06SA (security advisory): ShopCartCGI v2.3 Remote arbitrary file retrieving
Published: 17 February 2004
Released: 17 February 2004
Name: ShopCartCGI
Affected Systems: 2.3
Issue: Remote arbitrary file retrieving
Author: G00db0y from Zone-h Security Labs - g00db0y (at) zone-h (dot) org